Tests for product review permissions, simplify permission checks (APIv3).
This commit is contained in:
parent
401f4c0d0e
commit
be2eac5637
@ -149,10 +149,7 @@ class WC_REST_Product_Reviews_Controller extends WC_REST_Controller {
|
|||
* @return WP_Error|boolean
|
||||
*/
|
||||
public function get_item_permissions_check( $request ) {
|
||||
$id = (int) $request['id'];
|
||||
$review = get_comment( $id );
|
||||
|
||||
if ( $review && ! wc_rest_check_product_reviews_permissions( 'read', $review->comment_ID ) ) {
|
||||
if ( ! wc_rest_check_product_reviews_permissions( 'read', (int) $request['id'] ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_view', __( 'Sorry, you cannot view this resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
|
@ -180,10 +177,7 @@ class WC_REST_Product_Reviews_Controller extends WC_REST_Controller {
|
|||
* @return WP_Error|boolean
|
||||
*/
|
||||
public function update_item_permissions_check( $request ) {
|
||||
$id = (int) $request['id'];
|
||||
$review = get_comment( $id );
|
||||
|
||||
if ( $review && ! wc_rest_check_product_reviews_permissions( 'edit', $review->comment_ID ) ) {
|
||||
if ( ! wc_rest_check_product_reviews_permissions( 'edit', (int) $request['id'] ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_edit', __( 'Sorry, you cannot edit this resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
|
@ -197,10 +191,7 @@ class WC_REST_Product_Reviews_Controller extends WC_REST_Controller {
|
|||
* @return WP_Error|boolean
|
||||
*/
|
||||
public function delete_item_permissions_check( $request ) {
|
||||
$id = (int) $request['id'];
|
||||
$review = get_comment( $id );
|
||||
|
||||
if ( $review && ! wc_rest_check_product_reviews_permissions( 'delete', $review->comment_ID ) ) {
|
||||
if ( ! wc_rest_check_product_reviews_permissions( 'delete', (int) $request['id'] ) ) {
|
||||
return new WP_Error( 'woocommerce_rest_cannot_delete', __( 'Sorry, you cannot delete this resource.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) );
|
||||
}
|
||||
|
||||
|
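Review bot: The new `if ( ! wc_rest_check_product_reviews_permissions( 'read', (int) $request['id'] ) )` condition drops the old `$review &&` guard, so the capability check now runs even when the ID does not resolve to a comment, and an unknown ID is refused with `rest_authorization_required_code()` instead of passing the permission callback and leaving the handler to report it; that is presumably the intent (it removes the existence leak the old guard created), but nothing in the docblock records it. I would add to each method's `@return` docblock a line such as `* The check is deliberately unconditional: an ID that does not match a review is refused rather than revealing whether it exists.` — the same applies to the `update_item_permissions_check` and `delete_item_permissions_check` hunks below. Whether `wc_rest_check_product_reviews_permissions()` itself denies a nonexistent comment ID is not visible here, so the new tests should pin the unknown-ID case explicitly. Since `$id` and `$review` are removed, also confirm nothing after the closing brace still reads them; each method's body continues outside the hunk.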
@ -1,5 +1,6 @@
|
|||
<?php
|
||||
|
||||
use Automattic\WooCommerce\RestApi\UnitTests\Helpers\ProductHelper;
|
||||
|
||||
/**
|
||||
* Tests relating to the Product Reviews controller in APIv3.
|
||||
|
@ -21,12 +22,127 @@ class WC_REST_Product_Reviews_Controller_Tests extends WC_REST_Unit_Test_Case {
|
|||
*/
|
||||
private $editor_id;
|
||||
|
||||
/**
|
||||
* @var int
|
||||
*/
|
||||
private $customer_id;
|
||||
|
||||
/**
|
||||
* @var int
|
||||
*/
|
||||
private $review_id;
|
||||
|
||||
public function setUp() {
|
||||
parent::setUp();
|
||||
|
||||
$this->sut = new WC_REST_Product_Reviews_Controller();
|
||||
$this->shop_manager_id = self::factory()->user->create( array( 'role' => 'administrator' ) );
|
||||
$this->editor_id = self::factory()->user->create( array( 'role' => 'editor' ) );
|
||||
$this->customer_id = self::factory()->user->create( array( 'role' => 'customer' ) );
|
||||
$this->review_id = ProductHelper::create_product_review(
|
||||
ProductHelper::create_simple_product()->get_id(),
|
||||
'Pretty good, but not suitable for deep-sea engineering.'
|
||||
);
|
||||
}
|
||||
|
||||
public function test_permissions_for_creating_product_reviews() {
|
||||
$api_request = new WP_REST_Request( 'POST', '/wc/v3/products/reviews' );
|
||||
|
||||
wp_set_current_user( $this->editor_id );
|
||||
$this->assertEquals(
|
||||
'woocommerce_rest_cannot_create',
|
||||
$this->sut->create_item_permissions_check( $api_request )->get_error_code(),
|
||||
'A user lacking edit_products permissions (such as an editor) cannot create product reviews.'
|
||||
);
|
||||
|
||||
wp_set_current_user( $this->shop_manager_id );
|
||||
$this->assertTrue(
|
||||
$this->sut->create_item_permissions_check( $api_request ),
|
||||
'A user (such as a shop manager) who has edit_products permissions can create product reviews.'
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @testdox Ensure attempts to retrieve individual product reviews are subject to appropriate permission checks.
|
||||
*/
|
||||
public function test_permissions_for_retrieving_a_single_product_review() {
|
||||
$api_request = new WP_REST_Request( 'GET', '/wc/v3/products/reviews' . $this->review_id );
|
||||
$api_request->set_param( 'id', $this->review_id );
|
||||
|
||||
wp_set_current_user( $this->customer_id );
|
||||
$this->assertEquals(
|
||||
'woocommerce_rest_cannot_view',
|
||||
$this->sut->get_item_permissions_check( $api_request )->get_error_code(),
|
||||
'A user lacking moderate_comments permissions (such as a customer) cannot retrieve a product review.'
|
||||
);
|
||||
|
||||
wp_set_current_user( $this->editor_id );
|
||||
$this->assertTrue(
|
||||
$this->sut->get_item_permissions_check( $api_request ),
|
||||
'A user (such as a shop manager) who has edit_products permissions can retrieve a product review.'
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @testdox Ensure attempts to retrieve product reviews are subject to appropriate permission checks.
|
||||
*/
|
||||
public function test_permissions_for_retrieving_multiple_product_reviews() {
|
||||
$api_request = new WP_REST_Request( 'GET', '/wc/v3/products/reviews' );
|
||||
|
||||
wp_set_current_user( $this->customer_id );
|
||||
$this->assertEquals(
|
||||
'woocommerce_rest_cannot_view',
|
||||
$this->sut->get_items_permissions_check( $api_request )->get_error_code(),
|
||||
'A user lacking moderate_comments permissions (such as a customer) cannot retrieve product reviews.'
|
||||
);
|
||||
|
||||
wp_set_current_user( $this->editor_id );
|
||||
$this->assertTrue(
|
||||
$this->sut->get_items_permissions_check( $api_request ),
|
||||
'A user (such as a shop manager) who has edit_products permissions can retrieve product reviews.'
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @testdox Ensure attempts to update product reviews are subject to appropriate permission checks.
|
||||
*/
|
||||
public function test_permissions_for_updating_product_reviews() {
|
||||
$api_request = new WP_REST_Request( 'PUT', '/wc/v3/products/reviews/' . $this->review_id );
|
||||
$api_request->set_param( 'id', $this->review_id );
|
||||
|
||||
wp_set_current_user( $this->editor_id );
|
||||
$this->assertEquals(
|
||||
'woocommerce_rest_cannot_edit',
|
||||
$this->sut->update_item_permissions_check( $api_request )->get_error_code(),
|
||||
'A user lacking edit_products permissions (such as an editor) cannot update product reviews.'
|
||||
);
|
||||
|
||||
wp_set_current_user( $this->shop_manager_id );
|
||||
$this->assertTrue(
|
||||
$this->sut->update_item_permissions_check( $api_request ),
|
||||
'A user (such as a shop manager) who has edit_products permissions can update product reviews.'
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @testdox Ensure attempts to delete product reviews are subject to appropriate permission checks.
|
||||
*/
|
||||
public function test_permissions_for_deleting_product_reviews() {
|
||||
$api_request = new WP_REST_Request( 'DELETE', '/wc/v3/products/reviews/' . $this->review_id );
|
||||
$api_request->set_param( 'id', $this->review_id );
|
||||
|
||||
wp_set_current_user( $this->editor_id );
|
||||
$this->assertEquals(
|
||||
'woocommerce_rest_cannot_delete',
|
||||
$this->sut->delete_item_permissions_check( $api_request )->get_error_code(),
|
||||
'A user lacking edit_comment permissions (such as an editor) cannot delete a product review.'
|
||||
);
|
||||
|
||||
wp_set_current_user( $this->shop_manager_id );
|
||||
$this->assertTrue(
|
||||
$this->sut->delete_item_permissions_check( $api_request ),
|
||||
'A user (such as a shop manager) who has the edit_comment permission can delete a product review.'
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
|